M A N A G E M E N T

f r a u d

The Fraud Diamond: Considering the Four Elements of Fraud

By David T. Wolfe and Dana R. Hermanson

D espite intense efforts to stamp out L-orruption. misappropriation of assets, and fraudulent financial

reporting, it appears that fraud in its vari- ous foniis is a problem that is increasing in frequency and severity. KPMG's Fraud Survey 2003 documented a marked increase in overall fraud levels since its 1998 survey, with employee fraud by far the most common type of fraud. The 2003 survey also noted that fraudulent financial reporting had more than doubled from 1998. This trend is consistent with the unprecedented recent spate of large accounting frauds (Enron, WorldCom), as well as the increased number of account- ing restatements and SEC enforcement actions in recent years. (See 2003 Annual Review of Financial Reporting Matters by the Huron Consulting Group and the SEC's Report Pursuant to Section 704 of the Sarbanes-Oxley Act of 2002.)

In response to the fraud problem. Congress and regulatory authorities have enacted tougher laws and increased enforcement actions. Organizations are implementing tighter controls and broader oversight. The auditing profession has adopted more rigorous auditing standards and procedures, and softv -̂are developers are adding continuous monitoring features to back-office systems. It remains unclear whether these efforts are sufficient to mit- igate the fraud problem.

Many studies suggest fraud is more like- ly to occur when someone has an incen- tive (pressure) to commit fraud, weak con- trols or oversight provide an opportunity for the person to commit fraud, and the person can rationalize the fraudulent behavior (attitude). This three-pronged framework, commonly known as the "fraud triangle." has long been a useful tool

for CPAs seeking to understand and man- age fraud risks. The framework has been fomially adopted by the auditing profes- sion as part of SAS 99.

A Different Way to Think About Fraud Risks The authors believe that the fraud trian-

gle could be enhanced to improve both fraud prevention and detection by consid- ering a fourth element. In addition to addressing incentive, opportunity, and ratio-

nalization, the authors' four-sided "fraud diamond" also considers an individual's capability: personal traits and abilities that play a major role in whether fraud may actually occur even with the presence of the other three elements.

Many frauds, especially some of the multibillion-dollar ones, would not have occurred without the right person with the right capabilities in place. Opportunity opens the dtwrway to fraud, and incentive

EXHIBIT 1

THE FRAUD DIAMOND

Incentive Opportunity

Rationalization Capability

3 8 DECEMBER 2(M>4 / THE CPA JOURNAL

and rationalization can draw the person loward it. But the person must have the capability to recognize the open doorway as an opportunity and to take advantage of it by walking through, not just once, but lime and time again. Accordingly, the crit- ical question is. "Who could turn an oppor- tunity for fraud into reality?"

Using the four-element fraud diamond, a fraudster's thought process might pro- ceed as follows {Exhibit I): • Incentive: I want to, or have a need to. commit fraud. • Opportunity: There is a weakness in the system that the right person could exploit. Fraud is possible. • Rationalization: I have convinced myself that this fraudulent behavior is worth the risks. • Capability: 1 have the necessary traits and abilities to be the right person to pull it off. I have recognized this particular fraud opportunity and can turn it into reality.

While these four elements certainly over- lap, the primary contribution of the fraud diamond is that the capabilities to commit fraud are explicitly and separately consid- ered in the assessment of fraud risk. By doing so. the fraud diamond moves beyond viewing fraud opportunity largely in terms of environmental or situational fac- tors, as has been the praetiee under current and previous auditing standards.

For example, consider a company where the internal controls allow the pos- sibility that revenues could be recorded prematurely by altering sales contract dates in the sales system. An opportuni- ty for fraud exists, if the right person is in place to understand and exploit it. This opportunity for fraud becomes a much more serious problem if the company's CEO. who is under intense pressure to increase sales, has the technical skills to understand that the control weakness exists, can coerce the CFO and sales man- ager to manipulate the sales contract dates, and can consistently lie to analysts and board members about the company's growth. In the absence of such a CEO. the fraud p o s s i b i l i t y would never become reality, despite the presence of the elements of the fraud triangle. Thus, the CEO's capabilities arc a major factor in determining whether this control weak- ness will ultimately lead to fraud.

The Person with Capability Based on one author's experiences in

investigating frauds for the past 15 years. there are several essential traits for com- mitting fraud, especially for large sums or for a long period of time (Exhibit 2). First. the person's position or function within the organization may fumish the ability to create or exploit an opportunity for fraud

not available to others. For example, a CEO or divisional president has the positional authority to influence when contracts or deals take effect, thus affecting the timing of revenue or e x p e n s e r e c o g n i t i o n . Fraudulent Einancial Reporting: 1987-1997. An Analysis of U.S. Public Companies {Beasley et al.. 1999) found that corporate CEOs were implicated in over

MS in Taxation

on your schedule The MS in Taxation Program at Pace University's Lubin School of Business is ideally suited for the working professional. 'iTiis all-tax, intensive graduate program, designed for praaicing CPAs, has courses conveniently scheduled in the evening so thai you can complete it while maintaining yoLir airrent work schedule. Over 30 aedits in specialized lax courses conducted by faculty with extensive practical background and experience in current tax laws.

• Ail courses meet CPH credit requirements prescribed in NY and N|.

• Classes are conveniently offered in downtown Manhattan.

• MBA in Taxation and Post-Masters Advanced Professional Certificates are also available.

Learn more

U N I V E R S I T Y A New York Success Story For more information, www.pace.edu or call 1-800-874-PACE ext. A14

New York City • Pleasaniville/Briarcliff White Plains • Hudson Valley

DKCKMBKK 2 0 0 4 / THK CPA JOURNAL 3 9

70% of public-company accounting frauds. indicating that many organizations do not implement suMlcient checks and balances to mitigate the CEO's capabilities to influ- ence and perpetuate fraud. Additionally. when people perform a certain function repeatedly, such as bank reconciliations or setting up new vendor accounts, their capa- bility to commit fraud increases as iheir knowledge of the function's processes and controls expands over time.

Second, the right person for a fraud is smart enough to understand and exploit internal control weaknesses and to use position, function, or authorized access to the greatest advantage. Many of today's largest frauds are committed by intelli- gent, experienced, creative people, with a solid grasp of company controls and vul- nerabilities. This knowledge is used to leverage the person's responsibility over or authorized access to systems or assets. According lo the Association of Certified Fraud Examiners. 5 1 % of the perpetrators of occupational fraud had at least a bachelor's degree, and 49% of the fraudsters were over 40 years old. In a d d i t i o n , 4 6 % of the frauds the Association recently studied were com- mitted by managers or executives.

Third, the right person has a strong ego and great confidence that he will not be detected, or the person believes that he could easily talk himself out of trouble if caught. Such confidence or arrogance can affect one's cost-benefit analysis of engag- ing in fraud: the more confldent the per- son, the lower tbe estimated cost of fratid will be. In "The Human Face of Fraud" (C4 Magazine, May 2003), R. Allan notes that one of the common personality types among fraudsters is the "egotist"—some- one who is "driven to succeed at all costs, self-absorbed, self-confident and n;ircissis- tic." Similarly. DLifiield and Grabosky ('The Psychology of Fraud." Trends & issues in Crime and Criminal Justice. March 2001) note that, in addition to finan- cial strain. "Another aspect of motivation that may apply to some or all types of fraud is ego/power." The authors go on to quote Stotland ("White Collar Criminals." Journal of Social Issues. 1977) regarding ego: "As [fraudsters] found thetnseives suc- cessful at this crime, they began to gain some secondary delight in the knowledge that they are fooling the world, that they

are showing their superiority to others." Fourth, a sticcessful fratidster can coerce

others to commit or conceal fraud. A per- son with a very persuasive personality may be able to convince others to go along with a fraud or to simply kwk the other way. In addition. Allan notes that a common per- .sonality type among fraudsters is the "bully," who "makes unusual and significant demands of those who work for him or her, cultivates fear rather than respect … and consequently avoids being subject to the same rales and procedures as others." Many financial reporting frauds are cotnmitted by subordinates reacting to an edict from above to "make your numbers at all costs, or else."

Fifth, a successful fraudster lies effec- tively and consistently. To avoid detection. she must look auditors., investors, and others right in the eye and lie convincing- ly. She also possesses the skill lo keep track of the lies, so that the overall story remains consistent. In the Phai-Mor fratid. the audi- tors claimed that Phar-Mor had formed a "fraud team" of executives and former auditors who "continually worked to hide evidence" abtiut the fraud from them. TTie auditors claimed that the fraud team "lied. forged dtKuments and 'scrubbed' every- thing the auditors saw to hide any indica- tions of malfeasance." (See "Finding Auditors Liable for Fraud: What the Jury Heard in the Phar Mor Case." Cottrell and Glover, The CPA JournaL July 1997.)

Finally, a successful fraudster deals very well with stress. Committing a fraud and managing the fraud over a long period of time can be extremely stressful. Ttiere is the risk of detection, with its personal ram- ifications, as well as the constant need to conceal the fraud on a daily basis. Former HealthSouth CEO Richiird Scrushy now faces numerous criminal charges for allegedly masterminding a long-running scheme to inflate the company's ejimings during the terms of several different CFOs. Despite the enormous pressure on him. Scmshy has remained resolute dunng the course of the investigation, even appearing on 60 Minnies to proclaim his inmxrence. In contrast, during his sentencing, former HealthSouth Assistant Controller Emery Harris, who allegedly was coerced to par- ticipate in the fraud, told the Judge how relieved he was after the company was raided by federal agents, thinking it pro-

vided him the opportunity to finally "get out of this mess."

Dealing with Capability Appreciating the importance of capa-

bility as a fourth element of fraud is only p;ui of the challenge. The next task is to address capability when assessing fraud risk, and lo use knowledge about fraud capability to prevent or detect fraud. Beyond considering incentive, opportuni- ty, and rationalization, the following steps could shed light on capability.

Explicitly assess the capabilities of top executives and key personnel. Focusing on capability requires organizations and their auditors to better understand employ- ees' individual traits and abilities. The audit committee member, corporate accountant. or auditor should focus on the personality traits and skills of top executives and oth- ers responsible for high-risk areas when assessing fraud risk or seeking to prevent or detect fraud. Routine background checks on new employees can identify past crim- inal convictions.

In assessing individuals' traits and abilities, several methods of gathering information may be helpful. First, there is no substitute for spending time with a person. Frequent interaction under a vari- ety of circumstances, both business and social, can provide a meaningful picture

EXHIBIT 2 THE COMPONENTS OF CAPABILITY

Position/function

Brains

Confidence/ego

Coercion skills

Effective Lying

Immunity to stress

4 0 DECEMBER 2004 / THE CPA JOLiRNAL

of the person's capabilities. Second, look for signals in the "little things." If the person cuts comers on small issues or con- sistently displays an absolute refusal to lose or fail, no matter what the issue or the cost, this may suggest similar behav- ior on larger issues. For example, many have said that an executive who cheats in golf will cheat in business. Finally, pay attention to what others say about a per- son. If there are consistent statements about certain traits or tendencies, this infor- mation can supplement more direct obser- vations. For example, if people in the orga- nization are consistently in awe of some- one's technical or creative ability, this pro- vides additional insight into the person's capabilities.

A key to mitigating fraud

is to focus particular attention

on situations offering, in addition

to incentive and rationayzation.

the combination of opportunity

and capability.

If there are concerns about capabili- ty, respond accordingly. If someone's capabilities present a significant risk fac- tor, respond with stronger controls or enhanced audit testing. For example, if the sales vice president is overly aggressive, competitive, and obsessed with hitting monthly sales quotas, there may be a need for extra-tight controls over revenue recog- nition or expanded testing of sales during the annual audit. In addition, implement- ing a periodic rotation of routine, but key, ftinctions among staff can minimize

the opportunities for fraud gained from long-term knowledge of the function and its controls.

In this response phase, a key to miti- gating fraud is to focus particular atten- tion on situations offering, in addition to incentive and rationalization, the combi- nation of opportunity and capability. In other words. "Do we have any dtxirways to fraud that can be opened by people with the right set of keys?" If so, these areas are especially high risk, because all the ele- ments are in place for a fraud opportunity 10 become reality.

For example, when designing detec- tion systems, it is important to consider who within the organization has the capability to quash a red flag, or to cause a potential inquiry by internal auditors to be redirected. Cynthia Cooper, the inter- nal auditor at WorldCom credited with dis- covering the massive fraud, has described in Time magazine how CFO Scott Sullivan had exercised his position and seniority to dissuade her team from looking into cer- tain areas that later proved to have been infested with massive fraud. But believing they were on to something, her teams worked behind Sullivan's back, on many occasions at night or from home, to avoid detection and retribution. Although it appears he tried, according to Cooper, in this instance Sullivan was not capable of completely thwarting the persistent efforts of the auditors to uncover the apparent fraud.

Reassess the capabilities of top execu- tives and key personnel. Assessing capa- bility and responding to concerns should not be viewed as one-time exercises. Continuous updating of the capability assessment and response is warranted for two reasons. First, people can develop new capabilities over time, especially if they are climbing the corporate ladder and growing professionally. Just because someone did not have enough power or knowledge of an area to commit fraud in the past, there is no guarantee that the person will not develop such power or knowledge in the future. Their capability to commit fraud may increase, and additional controls or scrutiny may be warranted.

Second, organizational processes, con- trols, and circumstances change over time. As a result, some people may be bet- ter suited to commit fraud in the new envi-

ronment, even though they were not capable under previous conditions. For example, consider a company that has recently implemented a complex new IT system. The new system may render those less digitally sophisticated employ- ees incapable of exploiting its controls. On the other hand, for those with strong IT skills, the change might increase their capa- bility of committing fraud. This new capa- bility should be considered, and appropri- ate responses implemented.

Beyond Standards In the final analysis, recent legisla-

tion, increased enforcement, regulatory oversight, broader controls, improved auditing standards, and sophisticated monitoring technology are all steps in the right direction and will contribute to preventing and detecting fraud. Limiting this effort to current standards and prac- tices may not be enough, however, especially for auditors. Consistent with this view, the 2(X)4 Miller GAAS Guide describes the fraud triangle elements pre- sented in SAS 99 and notes that "it is obvious that the Auditing Standards Board is struggling with the broad topic of how to detect fraud … auditors should be careful about following relevant pro- fessional standards and then having a sense of security about the likelihood that fraud does not exist in a particular engagement."

Accordingly, if capability could play a role in influencing or magnifying the other fraud elements, other checks and balances or detection systems should be imple- mented, or an auditor should expand audit scope, procedures, and testing for potential fraud. Q

David T. Wolfe, CPA, is the founder of Glasgow Forensic Group, a forensic accounting ftmi in Allanla. Ga., and has sen'ed a variety of clients, including top- tier taw firms, govemmenl agencies, pri- vately held small to mid-sized businesses, and Fortune 500 companies. Dana R. Hermanson, PhD, is a professor of accounting in the Coles College of Business at Kennesaw State University and currently serves as a research fellow of the Corporate Governance Center at the University of Tennessee.

4 2 DECEMBER 2 0 0 4 / THE CPA JOURNAL